When employees bring their own devices, they also bring headaches

You allow your employees to bring their own smart phones to work. One day your enterprise's connection to the Internet goes down. Joe from marketing is not concerned. He sends an internal email around to some of your other employees, giving them the SSID and password to a mobile hot spot he's set up using his phone's wireless connection. “I've got 4G; we won't even notice the difference,” he says.

Everybody he's emailed turns on wireless on their laptops and gets back to work. As word of mouth spreads, others configure their phones as hot spots as well and share the information. Your entire office is happily working away while your assistant is calling your Internet provider to get an ETA for repair.

Is it a good thing that your employees have found a way to work? Sure -- if you don't mind that your corporate data is now flowing over networks you have no way to control. Suddenly, your firewalls, network intrusion detection, vulnerability scanners, sniffers, loggers and real-time monitoring all are useless.

Not only are your employees' smart phones' carriers now controlling your data flow, but you have no control over how secure their hot spots are. Someone could be connecting to one of them and seeing whatever is on Cindy's laptop. If that just happens to be company proprietary information, you've just given away the store.

Aside from being very vigilant, or not allowing BYOD at all, there are some things that you can do to discourage your users from setting up mobile hot spots to do their work. You can set up a secondary Internet connection that is, perhaps, less robust than your primary connection but that can be used if the primary connection goes down, and fortify it with NIDS and monitors so that you have control over it. Your users then can connect to that network and continue to do their work, but you need to make sure that they connect to the regular network when its Internet connection comes back up.

You can monitor for “rogue” wireless access points in your office space -- which you should be doing anyway -- and if your users are using their smart phones to create hot spots, you can take action. If you are going to do this, you should make sure that setting up such access is specifically disallowed in your security policy -- which it should be -- and make sure that your users have signed an Acceptable Use Policy if they are bringing their own devices in.

You can prevent your users from connecting to wireless at all from their work machines, but if they are using laptops, that may be a little harder to do, since presumably you would want them to be able to make such connections when they are traveling or working from home. Another similar solution might be to have those with wireless capability use an alternate workspace if you are not already doing that, so that they will (presumably) already have safeguards for their machines and data in place when they connect to the Internet. All other users would be restricted to Ethernet only, so that they wouldn't have the ability to connect to a rogue wireless hotspot.

The problem of BYOD and Bring Your Own Network isn't going away, but there are ways that you can manage it. Just be aware that this scenario can occur, and take steps to prevent it before it happens.

Mary Ursula Herrmann

Mary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.